Administration Priorities for Cybersecurity Information Sharing Legislation

1) Liability Protections: The Administration supports providing narrowly targeted liability

protections to incentivize broader cybersecurity threat information sharing. Appropriate
liability protections should incentivize good cybersecurity practices and should not grant
immunity to a private company for failing to act on information it receives about the security
of its networks. Such a provision would remove incentives for companies to protect their
customers' personal information and may weaken cybersecurity writ large. There is a danger
that providing a good faith exception for a failure to act on information received could create
a moral hazard and discourage companies from responding appropriately to cyber threat
indicators they receive. Moreover, the standard of proof for liability in H.R. 1560 may be
extraordinarily difficult to meet, thereby creating a disincentive for parties to exercise care in
their use or dissemination of cyber threat information. As such, the Administration
strongly prefers the liability protections in S. 754.
2) DHS Portal: The Administration supports authorizing new liability-protected sharing
relationships only through the National Cybersecurity and Communication Integration Center
(NCCIC), a civilian entity within the Department of Homeland Security. Additionally, the
Administration supports real-time sharing between the NCCIC and relevant Federal agencies,
with appropriate privacy protections, and has preliminarily deployed such a capability at
DHS. Focusing real-time sharing through one center at DHS enhances situational awareness,
facilitates robust privacy controls, and helps to ensure oversight of such sharing. In addition,
centralizing this sharing mechanism through DHS will facilitate more effective real-time
sharing with other agencies in the most efficient manner. Legislation that designates multiple
points of entry for sharing cyber threat information with the Federal government will
exponentially complicate efforts to ensure real-time sharing. The Administration strongly
supports the DHS portal established in S. 754 or Title II of H.R. 1560.
3) Defensive Measures: The use of defensive measures without appropriate safeguards raises
significant legal, policy, and diplomatic concerns and can have a direct deleterious impact on
information systems and undermine cybersecurity. Moreover, certain provisions may
prevent the application of laws such as State common law tort remedies. Legislation should
not create a backdoor exception to 18 U.S.C. 1030 by allowing defensive measures that
access other computers without authorization. Language in S. 754, which prohibits the use
of a countermeasure to provide unauthorized access to another entitys network, helps
mitigate this concern. As such, the Administration strongly prefers S. 754s definition of
a defensive measure.
a) Distinguish Monitoring from Defensive Measures: Both Title II of H.R. 1560 and S. 754
include monitoring activity within the definition of a defensive measure. The
consequences of the overlapping terms in S. 754 and Title II of H.R. 1560 are unclear.
However, a lack of clarity may create uncertainty as to whether an entitys activity to
detect an intrusion is an authorized monitoring activity, which is covered by the bills
liability protections, or a defensive measure, which is not. The final bill should not
1

include language, such as detects, that overlaps with the definition of monitoring in the
definition of a defensive measure.
4) Privacy Scrub:
a) Private Sector Requirement: The Administration Supports requiring private entities to
take reasonable steps to remove irrelevant personal information when sending
cybersecurity data to the government or other private sector entities. The
Administration supports language in Section 203(i)(3)(C) of H.R. 1560 or,
alternatively, in Section 103(d)(2) of H.R. 1560 that requires companies to take
reasonable efforts to remove personal information unrelated to a cyber threat.
b) Government Requirement: The Administration supports real-time sharing amongst
Federal agencies with appropriate privacy protections. Such sharing must preserve the
governments ability to remove or redact personal information that is unrelated to a
cybersecurity threat. As such, the Administration strongly prefers S. 754s
formulation, which allows cyber threat indicators to be modified pursuant to
protocols developed by relevant agencies.
5) Proprietary Restriction: Language that allows a sharing entity to designate cyber threat
indicators as proprietary will complicate information sharing within the government and
from the government to the private sector. It could put the government in the position of
knowing about a threat and not being able to share information about it. For instance, were a
sharer to deem a technical indicator as proprietary, the government could be prohibited from
further anonymizing such indicator and sharing it with other private entities to help them
protect their systems from a threat. It could also confuse private sector entities if they label a
particular indicator as proprietary, but the government already had received that particular
indicator from another independent source. The Administration proposes that any final
language includes a provision that appropriately protects proprietary information in a
manner that does not inhibit the governments legitimate use of cyber threat indicators.
a) Recommended text: Consistent with section 104(c)(2) or [103(C)(2)], a cyber threat
indicator or defensive measure provided by an entity to the Federal Government under
this Act shall be considered by a private entity the commercial, financial, and proprietary
information of such originating entity when so designated, consistent with applicable law
and as otherwise appropriate, by the originating entity or a third party acting in
accordance with the written authorization of the originating entity.
6) Cyber Threat Intelligence Integration Center: The complexity and pace of cyber threats
requires that we have a dedicated cadre of experts who can focus on integrating multiple
intelligence analyses so that policymakers and operators can receive community-wide views
on cyber threats in short order. The CTIIC will not replace the functions performed by
existing departments, agencies, or government cyber centers. Instead, it is intended to support
those entities missions for example, the CTIIC will help ensure that indicators of
malicious activity are downgraded to the lowest possible classification level to facilitate
2

seamless intelligence flows among centers, including those responsible for sharing with the
private sector. In particular, the final bill should not include a statutory cap on the number of
personnel at CTIIC; such limitations should be enforced through the annual budget and
authorization process. The Administration supports authorization of the CTIIC in Title
I of H.R. 1560, but would seek to ensure that its mission and resource requirements
align with the functions set forth in the Presidents February 15, 2015 Memorandum.
7) EINSTEIN Authorization: The Administration supports provisions that will improve the
cybersecurity of Federal networks and systems while protecting privacy and confidentiality.
The Administration supports EINSTEIN authorization language in both S. 754 and
Title II of H.R. 1560.

Sunset: It is recommended that any sunset of EINSTEIN authority in the final bill should
match the bills overall sunset.

National Security Systems: Legislation should preserve the roles of appropriate agencies
to maintain security for national security systems. The final bill should include language
in S. 754 that exempts national security systems and information systems of the
Department of Defense and the Intelligence Community.

8) Authorship of Sharing Procedures: The Administration supports the provisions in S. 754

that assign responsibility for the development of information sharing-related procedures to
each of the appropriate Federal agencies.
9) DHS Structure: The Administration supports provisions in Title II of H.R. 1560 that
authorize the National Protection and Programs Directorate. The final bill should include
that language, however, NPPD should be renamed as Cyber and Infrastructure Protection
(vice Cybersecurity and Infrastructure Protection) and the provisions that codify NPPDs
leadership should not require two Deputy Under Secretaries that must be appointed by the
President and confirmed by the Senate.
10) DHS Authorities:
a) Agreements: Section 203(i) of Title II of H.R. 1560 restricts DHSs ability to enter into
or terminate information sharing relationships. Such restrictions could negatively impact
DHSs operations and create unnecessary litigation exposure. The final bill should not
include such provisions, or in the alternative, Section 203(i) should be amended to
provide DHS with appropriate flexibility to enter into or terminate information sharing
relationships.
b) Direction to Agencies:
i) Emergency Directives: Section 209 of S. 754 provides DHS new authorities for
Federal cybersecurity. Portions of Section 209 are duplicative of provisions in the
3

Federal Information Security Modernization Act passed in 2014 (FISMA 2014). The
Administration is currently developing policies and procedures to implement that law,
including the use of binding operational directives. Section 209(a) pertaining to
"emergency directives should not be included in the final bill, or in the alternative,
should be amended to align with FISMA 2014.
ii) Imminent Threats: Section 209 of S. 754 provides DHS with authority to direct
agency actions in the event of an imminent threat to an agencys network. The
Administration is currently developing policies and procedures to implement new
authority provided in FISMA 2014, which includes the use of binding operational
directives. Section 209(a) pertaining to "imminent threats should not be included in
the final bill, or in the alternative, should be amended to align with FISMA 2014.
11) Government-to-Private Sharing: Language directing the government to develop
procedures to enhance sharing efforts with non-Federal entities should track current law and
practice. Language in S. 754 that requires all appropriate agencies participate in developing
such procedures should be included in the final bill.
12) Notification Requirement Regarding Misuse of Data: Section 103(b)(1)(F) of S. 754
requires notification only to any United States person whose data was shared in violation
of the Act. Limiting notification only to any United States person in the case of sharing in
violation of the Act is inconsistent with the principle that privacy is a worldwide value that
the United States respects and which should be reflected in how all governments handle a
persons data regardless of their nationality. This principal is fundamental to our engagement
with bilateral and intergovernmental partners, including the European Union, APEC and
OECD. It is recommended that the final bill require notification to any person whose
information has been misused.
13) Unnecessary Prohibitions on Intelligence Activity: Language in both Title I and Title II of
H.R. 1560 would improperly restrict appropriate intelligence activities that are necessary
cybersecurity activities. For instance, a department CIO attempting to identify the origin or
malware on the departments system might run afoul of the restrictions. The final bill should
not contain unnecessary restrictions on surveillance activities, or in the alternative, should
properly restrict unrelated surveillance activity: Nothing in this title or the amendments
made by this title shall be construed to create new authorization for an element of the
intelligence community to target a person for surveillance.
14) Anticompetitive Conduct: The Administration supports targeted liability protections that do
not immunize anticompetitive behavior. The rule of construction in Section 108 of S. 754
should be included in the final bill.
15) Definition of Monitor: The definition of network awareness in Title II of H.R. 1560
suggests that identifying, acquiring, logging or analyzing information is activity separate and
apart from monitoring, contrary to the general understanding of the scope of that term. This
4

ambiguity introduces uncertainty, contrary to the purpose of this Act. The final bill should
include the definition of monitor in S. 754 or Title I of H.R. 1560.
16) Use of Indicators for Law Enforcement Purposes:
a) Title II of H.R. 1560 does not contemplate the use of cyber threat indicators for law
enforcement purposes. While the primary use of indicators will be for cybersecurity,
many indicators will also contain information regarding cyber crimes, and may contain
information regarding non-cyber crimes and non-cyber threats. The final bill should track
the Administrations proposal and allow for limited, specific law enforcement use of
cyber threat indicators for these non-cybersecurity purposes.
b) As with cyber threat indicators shared with Federal law enforcement agencies, indicators
shared with state, local, tribal, and territorial (SLTT) agencies could contain information
regarding, or be indicative of, threats or criminal activity over which an agency has
jurisdiction. SLTT law enforcement agencies should not, as they would in S. 754, have
to get permission from the sharing private sector entity to the use the cyber threat
indicator for law enforcement purposes.
17) Explicit Exclusion of DOD/NSA: Language in Title I of H.R. 1560 unnecessarily excludes
DOD and NSA from the bills direct sharing authorization. Though the Administration
supports liability-protected sharing through only DHS, it seeks to ensure the preservation of
existing sharing relationships and the growth of future sharing relationships under current
law. While unintended, language calling for non-sharing with DOD and NSA may create a
perception against sharing with those agencies, even under current law. In addition, such
language could hinder future lawful direct sharing arrangements outside of any liabilityprotected sharing regime. Though we do not support liability-protected sharing for direct
sharing with military and intelligence agencies, the final bill should not include an
unnecessary prohibition on direct sharing under current law.
18) Single Sign-on Trusted Identity System: GSA operates Connect.gov, which provides a
government-wide authentications system that allows a consumer to use a government
approved third-party credential for access to agency public websites. While the system is
capable of employing single sign-on, this provision would prevent individual agencies from
being able to authenticate a user before providing them access to digital services. If Section
205(b)(1)(D) of S. 754 is included in the final bill, it should be amended to replace single
sign-on with shared, government-wide.
19) International Reporting Requirements: Section 402 of S. 754 requires preparation of a
cyberspace strategy and associated reporting requirements that are overbroad and duplicative
of existing U.S. strategy. The Administration requests that is be removed from the final bill,
or in the alternative, that several changes be made to such language if it should be included in
the final bill.
a) Extend the timeframe to 180 days;
5

b) Narrow the scope of the report to cover international security policy with respect to
cyberspace.
c) Clarify Section 402(a) so that any strategy or report on the State Departments strategy
should be limited to a discussion of the State Departments efforts to implement the
Presidents International Strategy. Thus, a revised version of Section 402(a) could read
as follows: the Secretary of State shall produce a report describing the Department of
States a comprehensive efforts strategy to implement the Presidents International
Strategy for Cyberspace related to promoting [international security OR security in
cyberspace]. In the alternative, if the strategy remains focused on a broader array of
topics not specifically within the purview of the State Department, it is requested that the
bill include other appropriate agencies in the reporting requirement.
d) Make edits to Section 402(b)(2): A description of the Secretary of States plan of action
for diplomacy to guide the diplomacy of the Secretary of State, with regard to foreign
countries, including conducting bilateral and multilateral activities to develop promote
the norms of responsible international behavior in cyberspace, and status review of
existing discussions in multilateral fora to obtain agreements on international norms in
cyberspace.
e) The section of the report that requires State to produce an annual report on efforts to
extradite cyber criminals is more appropriately tasked to other agencies with relevant
authorities.